From: "Kamil Jońca" <kjonca@op.pl>
To: netfilter@vger.kernel.org
Subject: Proper way to ipsec filtering
Date: Sun, 17 Apr 2022 08:37:47 +0200
Message-ID: <878rs48bb8.fsf@alfa.kjonca>
What is the best way to create rules used to ipsec traffic filtering?
So far I have a bunch of rules created per reqid, like this:
table ip filter { # handle 13
        chain INPUT { # handle 1
                type filter hook input priority filter; policy drop;
                iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
                [...]
        }
        [...]
        chain ipsec-in-1 { # handle 323
                ip saddr yyy ip daddr xxxx/24 counter packets 50871 bytes 5614784 jump c1 # handle 325
                ip protocol ipencap ip daddr zzzz counter packets 49801 bytes 5878107 accept # handle 324
        }
}
And I insert / remove rules in INPUT (and add / delete ipsec-in-*
chains) when clients connect or disconnect.
This is how I configured it when I migrated from iptables some time ago.
But I believe this is not the best method for nftables. So does anybody
have a suggestion what the best practice is to handle this situation?
I tried to use maps/vmaps, but reqid cannot be used as an index.
Am I missing something?
KJ
--
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
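Added example, not part of Kamil's post or of the nftables project: POSIX shell helpers that turn the per-reqid approach above into single nft transactions (one `nft -f -` batch per connect or disconnect, so the drop-policy INPUT chain is never left half-updated) and that locate the INPUT jump rule for teardown by its comment tag rather than by position. The `eth0` interface, the `tag/reqid/in` comment format and the sample listing are assumptions constructed for this example.

```shell
# Constructed sample of `nft -a list chain ip filter INPUT` output, so the
# helpers can be exercised without nft installed.
SAMPLE_INPUT_LISTING='table ip filter { # handle 13
	chain INPUT { # handle 1
		type filter hook input priority filter; policy drop;
		iif "eth0" ipsec in reqid 1 counter packets 100672 bytes 11492891 jump ipsec-in-1 comment "ed19af3c-f504-11e9-b59d-00e081736ba6/1/in" # handle 326
		iif "eth0" ipsec in reqid 2 counter packets 10 bytes 800 jump ipsec-in-2 comment "client-b/2/in" # handle 330
	}
}'

# Emit one nft batch that creates the per-client chain and its INPUT jump
# rule. Arguments: reqid, client tag (stored in the rule comment so the rule
# can be found again), peer address, protected subnet. Feed it to `nft -f -`.
ipsec_client_add() {
    reqid=$1 tag=$2 peer=$3 subnet=$4
    printf '%s\n' \
        "add chain ip filter ipsec-in-${reqid}" \
        "add rule ip filter ipsec-in-${reqid} ip saddr ${peer} ip daddr ${subnet} counter accept" \
        "insert rule ip filter INPUT iif \"eth0\" ipsec in reqid ${reqid} counter jump ipsec-in-${reqid} comment \"${tag}/${reqid}/in\""
}

# Print the handle of the INPUT rule carrying the given comment tag, taken
# from a listing produced by `nft -a list chain ip filter INPUT`.
# Usage: jump_rule_handle "$listing" "tag/reqid/in"
jump_rule_handle() {
    printf '%s\n' "$1" | grep -F "comment \"$2\"" | sed -n 's/.*# handle \([0-9]*\)$/\1/p'
}

# Emit the matching teardown batch: drop the jump rule by handle first (so
# traffic for that reqid falls through to the chain policy), then remove the
# now-unreferenced chain. Arguments: reqid, handle.
ipsec_client_del() {
    reqid=$1 handle=$2
    printf '%s\n' \
        "delete rule ip filter INPUT handle ${handle}" \
        "flush chain ip filter ipsec-in-${reqid}" \
        "delete chain ip filter ipsec-in-${reqid}"
}

# Live use (requires nft and root):
#   ipsec_client_add 3 client-c 198.51.100.7 192.0.2.0/24 | nft -f -
#   h=$(jump_rule_handle "$(nft -a list chain ip filter INPUT)" client-c/3/in)
#   ipsec_client_del 3 "$h" | nft -f -
```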